CN107508827A - A kind of message parsing method and device - Google Patents
- Publication number: CN107508827A
- Application number: CN201710833249.4A
- Authority: CN (China)
- Prior art keywords: message, key, address, type, real
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Abstract
The present invention provides a message parsing method and device. The method comprises the steps of: receiving a message and assembling the key information Key; querying a preset behavior analysis table according to the assembled Key; judging whether the received message is a special-type message; when it is a special-type message, judging whether it is a real-time message or a large-flow message; when it is a real-time message, preferentially scheduling a processor to process the message in real time and then sending the message to the destination port; when it is a large-flow message, performing fragmentation processing and sending to the destination port after processing is complete. The invention can process real-time messages with priority and applies fragmentation processing to large-flow messages, achieving same-source, same-destination processing. In addition, the network analysis device of the invention avoids repeating a series of deep packet parsing operations when an identical message is received again, which avoids increasing the burden on the analysis device and saves the CPU resources of the network analysis device.
Description
Technical field
The present invention relates to the technical field of service message parsing, and in particular to a message parsing method and device.
Background art
The message processing methods of existing network analysis devices usually include a fragment-information handling flow, the main part of which is the processing of a preset fragment information table: the fragment information identifier is looked up in the fragment information table to find the corresponding processor number. If a message is a large-flow message, fragmentation processing is performed, and the key information of the message is extracted and looked up in the preset fragment information table, so as to ensure that messages are finally processed on a same-source, same-destination basis. For example, the Chinese invention patent with application number 201210049845.0, entitled "Message diversion method, device, processor and the network equipment", describes a message processing method of this kind. Referring to Fig. 1, the fragment-information processing steps in that patent include: Step 101, the device receives a message and parses its key information, including the outer IP, the inner IP and the message identifier; Step 102, the device judges from the fragment information in the message header whether the message is a fragment message; Step 103, if the message is a fragment message, the device searches the pre-stored fragment information table for the processor number corresponding to the outer IP address and the fragment identifier of the fragment message; Step 104, when the processor number corresponding to the outer IP and the fragment identifier of the fragment message is found in the fragment information table, the fragment message is sent to the corresponding processor. Received messages are thus fragment-processed according to the fragment information table, which ensures that subsequent fragment messages are forwarded to the same processor and that same-source, same-destination processing is maintained.
In the fragment-information processing scheme disclosed in the above patent, when received messages are fragment-processed, a preset fragment information table is used to find the specific processor unit that handles the message. This ensures that the fragments of a large-flow message are handled uniformly in the same processing unit and that same-source, same-destination processing can be achieved. However, the above method does not consider the case where many messages are real-time messages that need timely processing, nor does it consider how to update the fragment information so that newly appearing over-long messages can also be handled by fragmentation.
Summary of the invention
The object of the present invention is to address the above defects of existing message processing methods by providing a new message parsing scheme. The scheme responds quickly to high-priority real-time messages with priority processing and also updates the fragment information of over-long messages in time, improving the processing performance of the network analysis device. To achieve this object, the technical solution of the invention is as follows:
According to one aspect of the present invention, a message parsing method is provided, comprising the steps of:
receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assembling them into the key information Key;
querying a preset behavior analysis table according to the assembled Key, the behavior analysis table being a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action;
judging, according to the query result, whether the received message is a special-type message, a special-type message being a message whose assembled Key can be found in the behavior analysis table;
when the received message is a special-type message, further judging whether the special-type message is a real-time message or a large-flow message, a large-flow message being a non-real-time message with a large data flow;
when the special-type message is a real-time message, preferentially scheduling a processor according to the scheduling algorithm to process the message in real time, and sending the message to the destination port after the processor has finished processing;
when the special-type message is a large-flow message, performing fragmentation processing on the large-flow message, recording the fragment information and the number of the scheduled processor in the fragment information table, scheduling the processor with the corresponding number according to the fragment information table to process the fragments, and sending to the destination port after processing is complete.
Preferably, the specific method of judging whether the special-type message is a real-time message or a large-flow message is: judging whether the message type flag corresponding to the Key found in the behavior analysis table is 0 or 1; if it is 0, the special-type message is a real-time message; if it is 1, the special-type message is a large-flow message.
Preferably, when the received message is a non-special-type message, that is, an ordinary message whose assembled Key cannot be found in the behavior analysis table, the ordinary message execution flow is carried out and the message is sent to the destination port after the processor has finished processing. The ordinary message execution flow means that the hardware multi-core parallel scheduling mechanism designed into the processor architecture automatically schedules a processor to process the message.
Preferably, the ordinary message execution flow includes:
judging whether the received message is a real-time message or a large-flow message;
if it is a real-time message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling them into the key information Key, setting the message type flag to 0, and then adding the assembled Key and its corresponding message type flag to the behavior analysis table as a new entry;
if it is a large-flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling them into the key information Key, setting the message type flag to 1, and then adding the assembled Key and its corresponding message type flag to the behavior analysis table as a new entry.
According to another aspect of the present invention, a message parsing device is provided, comprising:
a receiving module, for receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assembling them into the key information Key;
a query module, for querying a preset behavior analysis table according to the assembled Key, the behavior analysis table being a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action;
a first judging module, for judging, according to the query result, whether the received message is a special-type message, a special-type message being a message whose assembled Key can be found in the behavior analysis table;
a second judging module, for further judging, when the received message is a special-type message, whether the special-type message is a real-time message or a large-flow message, a large-flow message being a non-real-time message with a large data flow;
a first processing module, for preferentially scheduling a processor according to the scheduling algorithm to process the message in real time when the special-type message is a real-time message, and sending the message to the destination port after the processor has finished processing;
a second processing module, for performing fragmentation processing on the large-flow message when the special-type message is a large-flow message, recording the fragment information and the number of the scheduled processor in the fragment information table, scheduling the processor with the corresponding number according to the fragment information table to process the fragments, and sending to the destination port after processing is complete.
Preferably, the second judging module is further used, when the received message is a special-type message, for judging whether the message type flag corresponding to the Key found in the behavior analysis table is 0 or 1.
Preferably, when the received message is a non-special-type message, that is, an ordinary message whose assembled Key cannot be found in the behavior analysis table, the parsing device further includes:
a third processing module, for carrying out the ordinary message execution flow and sending the message to the destination port after the processor has finished processing, the ordinary message execution flow meaning that the hardware multi-core parallel scheduling mechanism designed into the processor architecture automatically schedules a processor to process the message.
Preferably, the third processing module further comprises:
a third judging module, for judging whether the received message is a real-time message or a large-flow message;
a first entry creation module, for, when the received message is a real-time message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling them into the key information Key, setting the message type flag to 0, and then creating in the behavior analysis table the entry corresponding to the assembled Key and message type flag;
a second entry creation module, for, when the received message is a large-flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling them into the key information Key, setting the message type flag to 1, and then creating in the behavior analysis table the entry corresponding to the assembled Key and message type flag.
The present invention has the following specific advantages and beneficial effects:
First, the invention provides a dynamic adding process for the behavior analysis table: entries are added to the table according to the parsed message Key and the analysis results of the message's historical behavior, and are stored in memory as a hash table using a hash algorithm, which enables high-speed lookup and efficient message parsing.
Second, the invention can process real-time messages with priority, mainly by using the parallel scheduling algorithm of the chip's multi-core engine, with scheduling realized by a software algorithm, thereby ensuring priority processing of real-time messages.
Third, the invention applies fragmentation processing to large-flow messages while ensuring that messages belonging to the same flow are finally processed by the same processor, achieving same-source, same-destination processing and ensuring that data messages are processed correctly.
Fourth, the network analysis device of the invention avoids repeating a series of deep packet parsing operations when an identical message is received again, which avoids increasing the burden on the analysis device and saves the CPU resources of the network analysis device.
Fifth, the invention classifies messages before processing them, so messages can be processed quickly and accurately, improving the processing performance of the network analysis device.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of message parsing in the prior art;
Fig. 2 is a flow chart of the first embodiment of the message parsing method of the present invention;
Fig. 3 is a flow chart of the second embodiment of the message parsing method of the present invention;
Fig. 4 is a structural block diagram of the first embodiment of the message parsing device of the present invention;
Fig. 5 is a structural block diagram of the second embodiment of the message parsing device of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 2 is a flow chart of the first embodiment of the message parsing method of the present invention. As shown in Fig. 2, the message parsing method includes:
Step 201: receive a message, obtain the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assemble them into the key information Key.
In this step, the source MAC address is the physical address of the source device of the message; the destination MAC address is the physical address of the destination device to which the message is sent; the source IP address is the IP address of the source device of the message; the destination IP address is the IP address of the destination device; the protocol version number is the protocol type of the layer-4 protocol of the message, such as TCP, UDP or SPX.
Step 202: query a preset behavior analysis table according to the assembled Key. The behavior analysis table is a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action.
The behavior analysis table is a hash table composed of the Key, formed from key information such as the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, and its corresponding message processing mechanism, that is, the message type flag and the message processing action. Message processing actions include, for example: process immediately, discard, stop.
Step 203: judge, according to the query result, whether the received message is a special-type message. A special-type message is a message whose assembled Key can be found in the behavior analysis table.
When the assembled Key can be found in the behavior analysis table, that is, when the Key exists in the hash table, the received message is a special-type message, and the message type flag and specific processing action of the received message can be matched in the hash table.
Step 204: when the received message is a special-type message, further judge whether the special-type message is a real-time message or a large-flow message. A large-flow message is a non-real-time message with a large data flow.
In the present invention, a real-time message may be, for example, a live broadcast or a video stream, in which case the message type flag matched in the hash table is 0; a large-flow message may be large text, a picture, a non-real-time video file and the like, in which case the message type flag matched in the hash table is 1.
In the above step, the behavior analysis table determines that the received message is a special-type message, and the special-type message is then further analysed to decide whether it is a real-time message or a large-flow message. This further analysis relies on the message type flag bit flag in the result field of the behavior analysis table: if the value of flag is 0, the message is a real-time message; if the value of flag is 1, it is a large-flow message.
Step 205: when the special-type message is a real-time message, preferentially schedule a processor according to the scheduling algorithm to process the message in real time, and send the message to the destination port after the processor has finished processing.
The scheduling algorithm in the above step is the hardware multi-core parallel scheduling mechanism designed into the processor architecture, that is, messages are distributed by the hardware scheduling engine of the multi-core processor. When a message with a higher priority arrives, the multi-core scheduling engine can interrupt the processor running one of the current tasks and switch it to handle the high-priority message. This is the priority scheduling algorithm, and it is how the message is processed in real time.
Step 206: when the special-type message is a large-flow message, perform fragmentation processing on the large-flow message, record the fragment information and the number of the scheduled processor in the fragment information table, schedule the processor with the corresponding number according to the fragment information table to process the fragments, and send to the destination port after processing is complete.
If the large-flow message is, for example, large text or a picture, fragmentation processing is performed, and the fragment information and the number of the scheduled processor unit are recorded in the fragment information table.
In the above step, fragmentation is performed according to the maximum payload that the network path can carry (the Maximum Transmission Unit, MTU, which is the largest packet size that can pass at a given layer of a communication protocol). A large-flow message is divided into multiple data streams for processing, and the fragment information of each fragment message, such as the source IP address, destination IP address and processor identifier, is recorded in the fragment information table. This ensures that fragment messages belonging to the same large flow are finally processed on the same processor, guaranteeing same-source, same-destination processing. After the fragment messages belonging to one flow have all been processed on the same processor, they are sent to the destination port according to the destination MAC address of the message.
Fig. 3 is a flow chart of the second embodiment of the message parsing method of the present invention. The message parsing method includes:
Step 301: receive a message, obtain the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assemble them into the key information Key.
In this step, the source MAC address is the physical address of the source device of the message; the destination MAC address is the physical address of the destination device to which the message is sent; the source IP address is the IP address of the source device of the message; the destination IP address is the IP address of the destination device; the protocol version number is the protocol type of the layer-4 protocol of the message.
Step 302: query a preset behavior analysis table according to the assembled Key. The behavior analysis table is a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action.
The behavior analysis table is a hash table composed of the Key, formed from key information such as the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, and its corresponding message processing mechanism, that is, the message type flag and the message processing action. Message processing actions include, for example: process immediately, discard, stop.
Step 303: judge, according to the query result, whether the received message is a special-type message. A special-type message is a message whose assembled Key can be found in the behavior analysis table.
When the assembled Key can be found in the behavior analysis table, that is, when the Key exists in the hash table, the received message is a special-type message, and the message type flag and specific processing action of the received message can be matched in the hash table.
Step 304: when the received message is a special-type message, further judge whether the special-type message is a real-time message or a large-flow message. A large-flow message is a non-real-time message with a large data flow.
In the present invention, a real-time message may be, for example, a live broadcast or a video stream, in which case the message type flag matched in the hash table is 0; a large-flow message may be large text, a picture and the like, in which case the message type flag matched in the hash table is 1.
In the above step, the behavior analysis table determines that the received message is a special-type message, and the special-type message is then further analysed to decide whether it is a real-time message or a large-flow message. This further analysis relies on the message type flag bit flag in the result field of the behavior analysis table: if the value of flag is 0, the message is a real-time message; if the value of flag is 1, it is a large-flow message.
Step 305: when the special-type message is a real-time message, preferentially schedule a processor according to the scheduling algorithm to process the message in real time, and send the message to the destination port after the processor has finished processing.
The scheduling algorithm in the above step is the hardware multi-core parallel scheduling mechanism designed into the processor architecture, that is, messages are distributed by the hardware scheduling engine of the multi-core processor. When a message with a higher priority arrives, the multi-core scheduling engine can interrupt the processor running one of the current tasks and switch it to handle the high-priority message. This is the priority scheduling algorithm, and it is how the message is processed in real time.
Step 306: when the special-type message is a large-flow message, perform fragmentation processing on the large-flow message, record the fragment information and the number of the scheduled processor in the fragment information table, schedule the processor with the corresponding number according to the fragment information table to process the fragments, and send to the destination port after processing is complete.
If the large-flow message is, for example, large text or a picture, fragmentation processing is performed, and the fragment information and the number of the scheduled processor unit are recorded in the fragment information table.
In the above step, fragmentation is performed according to the maximum payload that the network path can carry (the Maximum Transmission Unit, MTU, which is the largest packet size that can pass at a given layer of a communication protocol). A large-flow message is divided into multiple data streams for processing, and the fragment information of each fragment message, such as the source IP address, destination IP address and processor identifier, is recorded in the fragment information table. This ensures that fragment messages belonging to the same large flow are finally processed on the same processor, guaranteeing same-source, same-destination processing. After the fragment messages belonging to one flow have all been processed on the same processor, they are sent to the destination port according to the destination MAC address of the message.
Step 307: when step 303 determines that the received message is a non-special-type message, that is, an ordinary message whose assembled Key cannot be found in the behavior analysis table, carry out the ordinary message execution flow. The ordinary message execution flow means that the hardware multi-core parallel scheduling mechanism designed into the processor architecture automatically schedules a processor to process the message.
The ordinary message execution flow further comprises the steps:
Step 307a: further judge whether the non-special-type message is a real-time message or a large-flow message.
Because in this step the behavior analysis table contains no entry matching the message's Key, the message type flag in the table cannot be used to tell whether the message is a real-time message or a large-flow message. The type of the message can then be analysed by other means, such as deep packet inspection (DPI).
Step 307b: if the non-special-type message is a real-time message, obtain its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assemble them into the key information Key, set the message type flag to 0, and then add the assembled Key and its corresponding message type flag to the behavior analysis table as a new entry.
Step 307c: if the non-special-type message is a large-flow message, obtain its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assemble them into the key information Key, set the message type flag to 1, and then add the assembled Key and its corresponding message type flag to the behavior analysis table as a new entry.
In steps 307b and 307c above, an entry is created and added to the behavior analysis table for a message received for the first time, according to how it was parsed, so that the next time a message of the same type is received the special-type processing flow can be carried out directly without deep packet inspection, which improves message parsing efficiency.
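The following Python sketch is an added example, not code from the patent: it models the Key lookup, flag dispatch, MTU fragmentation with processor affinity, and learn-on-miss flow of steps 301 to 307. The class and function names, the round-robin scheduler, the `toy_dpi` rules and the action stored for learned entries are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

REALTIME, LARGE_FLOW = 0, 1   # message type flag values given in the description


class Key(NamedTuple):
    """Key assembled from the five header fields named in steps 201/301."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str                # layer-4 protocol type, e.g. "TCP" or "UDP"


@dataclass
class Message:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    payload: bytes

    def key(self) -> Key:
        return Key(self.src_mac, self.dst_mac, self.src_ip, self.dst_ip, self.proto)


@dataclass
class Entry:
    flag: int                 # 0 = real-time, 1 = large-flow
    action: str               # message processing action stored beside the flag


class Dispatch(NamedTuple):
    path: str                 # "ordinary", "realtime" or "fragmented"
    processor: int
    fragments: List[bytes]


def toy_dpi(msg: Message) -> Optional[int]:
    """Constructed stand-in for DPI (step 307a); the rules are illustrative only."""
    if msg.payload.startswith(b"RTP"):
        return REALTIME
    if len(msg.payload) > 4000:
        return LARGE_FLOW
    return None               # neither type: no entry is learned


class MessageParser:
    def __init__(self, processors: int, mtu: int,
                 classify: Callable[[Message], Optional[int]] = toy_dpi):
        self.behavior_table: Dict[Key, Entry] = {}            # Key -> flag + action
        self.fragment_table: Dict[Tuple[str, str], int] = {}  # (src IP, dst IP) -> processor
        self.processors, self.mtu, self.classify = processors, mtu, classify
        self.dpi_calls = 0    # counts how often the expensive classification ran
        self._next = 0

    def _schedule(self) -> int:
        """Round-robin stand-in for the hardware multi-core scheduler (assumption)."""
        cpu = self._next
        self._next = (self._next + 1) % self.processors
        return cpu

    def handle(self, msg: Message) -> Dispatch:
        key = msg.key()
        entry = self.behavior_table.get(key)
        if entry is None:
            # Step 307: table miss, ordinary flow; classify once and learn an entry.
            self.dpi_calls += 1
            flag = self.classify(msg)
            if flag in (REALTIME, LARGE_FLOW):
                # The stored action is an assumption; the text does not say which is used.
                self.behavior_table[key] = Entry(flag, "process immediately")
            return Dispatch("ordinary", self._schedule(), [msg.payload])
        if entry.flag == REALTIME:
            # Step 305: priority path (hardware pre-emption itself is not modelled).
            return Dispatch("realtime", self._schedule(), [msg.payload])
        # Step 306: fragment by MTU and pin the flow to one recorded processor.
        flow = (msg.src_ip, msg.dst_ip)
        if flow not in self.fragment_table:
            self.fragment_table[flow] = self._schedule()
        cpu = self.fragment_table[flow]
        frags = [msg.payload[i:i + self.mtu] for i in range(0, len(msg.payload), self.mtu)]
        return Dispatch("fragmented", cpu, frags)


if __name__ == "__main__":
    parser = MessageParser(processors=4, mtu=1500)
    # Constructed sample message: 5000-byte payload between two test addresses.
    big = Message("02:00:00:00:00:01", "02:00:00:00:00:02",
                  "10.0.0.3", "10.0.0.4", "TCP", b"x" * 5000)
    for _ in range(3):
        d = parser.handle(big)
        print(d.path, d.processor, len(d.fragments), parser.dpi_calls)
```

The description above gives no size limit or ageing policy for either table, so this sketch keeps them unbounded.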
Fig. 4 is a structural block diagram of the first embodiment of the message parsing device of the present invention. As shown in Fig. 4, the message parsing device includes:
Receiving module 400, for receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assembling them into the key information Key.
In the present invention, the source MAC address is the physical address of the source device of the message; the destination MAC address is the physical address of the destination device to which the message is sent; the source IP address is the IP address of the source device of the message; the destination IP address is the IP address of the destination device; the protocol version number is the protocol type of the layer-4 protocol of the message.
Query module 410, for querying a preset behavior analysis table according to the assembled Key. The behavior analysis table is a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action.
The behavior analysis table is a hash table composed of the Key, formed from key information such as the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, and its corresponding message processing mechanism, that is, the message type flag and the message processing action. Message processing actions include, for example: process immediately, discard, stop.
First judging module 420, for judging from the query result whether the received message is a special-type message. A special-type message is a message whose assembled key information Key can be found in the behavior analysis table.
When the assembled key information Key can be found in the behavior analysis table, i.e. the Key exists in the hash table, the received message is a special-type message, and its message type flag and specific processing action can be matched in the hash table.
Second judging module 430, for further determining, when the received message is a special-type message, whether it is a real-time message or a large-flow message. A large-flow message is a non-real-time message with a large data volume.
In the present invention, a real-time message may be, for example, live broadcast or video stream traffic, for which the message type flag matched in the hash table is 0; a large-flow message may be, for example, large text or pictures, for which the message type flag matched in the hash table is 1.
In the above, once the behavior analysis table lookup has determined that the received message is a special-type message, the special-type message is further analyzed to determine whether it is a real-time message or a large-flow message. This further analysis relies on the message type flag in the result field of the behavior analysis table: if the value of flag is 0, the message is a real-time message; if the value of flag is 1, it is a large-flow message.
First processing module 440, for, when the special-type message is a real-time message, preferentially scheduling a processor according to the scheduling algorithm to process the message in real time, and sending the message to the destination port after the processor finishes processing.
The scheduling algorithm above is the hardware multi-core concurrent scheduling mechanism designed into the processor architecture, i.e. messages are distributed by the hardware scheduling engine of the multi-core processor. When a higher-priority message arrives, the scheduling engine can interrupt the current task on one of the processors and switch that processor to the high-priority message. This is the priority scheduling algorithm, and it is how the message comes to be processed in real time.
Second processing module 450, for, when the special-type message is a large-flow message, fragmenting the large-flow message, recording the fragment information and the label of the scheduled processor in the fragment information table, scheduling the processor with the corresponding label according to the fragment information table to process the fragments, and sending them to the destination port after processing is complete.
If the message is a large-flow message such as large text or pictures, it is fragmented, and the fragment information and the label of the scheduled processor unit are recorded in the fragment information table.
In the above, fragmentation is performed according to the maximum load the network path can carry (the Maximum Transmission Unit, MTU, i.e. the largest packet size that can pass at a given layer of a communication protocol). One large-flow message is split into multiple data streams for processing, and the fragment information of each fragment, such as the source IP address, destination IP address and processor identifier, is recorded in the fragment information table. This ensures that fragments belonging to the same large flow end up being processed on the same processor, i.e. same-source, same-destination handling. After the fragments belonging to one flow have all been processed on the same processor, they are sent to the destination port according to the message's destination MAC address.
Fig. 5 is a structural block diagram of the second embodiment of the message parsing device of the present invention. As shown in Fig. 5, the second embodiment differs from the first embodiment shown in Fig. 4 in that it also includes:
Third processing module 560, for carrying out the ordinary message execution flow and sending the message to the destination port after the processor finishes processing. The ordinary message execution flow uses the hardware multi-core concurrent scheduling mechanism designed into the processor architecture to schedule processors automatically to process the message.
The third processing module 560 further includes:
Third judging module 561, for judging whether the received message is a real-time message or a large-flow message;
Here, because the behavior analysis table contains no entry matching the message's key information Key, the message type flag in the behavior analysis table cannot be used to tell whether the message is a real-time message or a large-flow message. The message type can instead be analyzed by other means, such as deep packet inspection (DPI).
First entry creation module 562, for, when the received message is a real-time message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling them into the key information Key, setting the message type flag to 0, and then creating in the behavior analysis table the entry corresponding to the assembled key information Key and message type flag;
Second entry creation module 563, for, when the received message is a large-flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling them into the key information Key, setting the message type flag to 1, and then creating in the behavior analysis table the entry corresponding to the assembled key information Key and message type flag.
The first entry creation module 562 and second entry creation module 563 ensure that the message parsing device of this embodiment can create and add entries in the behavior analysis table according to how a message was parsed, so that the next time a message of the same type is received the special-type message processing flow can be entered directly. This gives the behavior analysis table a dynamic addition process and improves message parsing efficiency.
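The lookup-then-dispatch flow of the two embodiments above, as an added Python example that is not code from the patent. The `demo_classifier` stand-in for DPI, the `max_entries` cap with oldest-entry eviction, the round-robin processor assignment and the slicing of the payload into MTU-sized pieces are all assumptions of this example.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

REAL_TIME, LARGE_FLOW = 0, 1  # flag values used in the embodiments above
Key = Tuple[str, str, str, str, int]


@dataclass(frozen=True)
class Message:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int          # layer-4 protocol number
    payload: bytes

    def key(self) -> Key:
        """Assemble the key information Key from the five header fields."""
        return (self.src_mac.lower(), self.dst_mac.lower(),
                self.src_ip, self.dst_ip, self.proto)


def demo_classifier(msg: Message) -> Optional[int]:
    """Constructed stand-in for DPI: UDP -> real-time, payload > 1500 B -> large-flow."""
    if msg.proto == 17:
        return REAL_TIME
    return LARGE_FLOW if len(msg.payload) > 1500 else None


class MessageParser:
    def __init__(self, classify: Callable[[Message], Optional[int]],
                 n_cpus: int = 4, mtu: int = 1500, max_entries: int = 1024):
        self.table: "OrderedDict[Key, int]" = OrderedDict()  # behavior analysis table
        self.fragment_table: Dict[Key, int] = {}  # fragment info: flow -> processor label
        self.classify, self.n_cpus, self.mtu = classify, n_cpus, mtu
        self.max_entries = max_entries
        self.dpi_calls = 0
        self._next_cpu = 0

    def _learn(self, key: Key, flag: int) -> None:
        # Header fields are chosen by the sender, so the table is capped and the
        # oldest entry evicted (assumption; the patent gives no size limit).
        if len(self.table) >= self.max_entries:
            old, _ = self.table.popitem(last=False)
            self.fragment_table.pop(old, None)
        self.table[key] = flag

    def handle(self, msg: Message) -> dict:
        key = msg.key()
        flag = self.table.get(key)
        if flag is None:  # ordinary message: slow path, then add a table entry
            self.dpi_calls += 1
            flag = self.classify(msg)
            if flag in (REAL_TIME, LARGE_FLOW):
                self._learn(key, flag)
            return {"path": "ordinary", "flag": flag}
        if flag == REAL_TIME:  # special type, real-time: schedule with priority
            return {"path": "special", "action": "priority"}
        # special type, large-flow: pin the flow to one processor, then fragment
        if key not in self.fragment_table:
            self.fragment_table[key] = self._next_cpu
            self._next_cpu = (self._next_cpu + 1) % self.n_cpus
        frags = [msg.payload[i:i + self.mtu]
                 for i in range(0, len(msg.payload), self.mtu)]
        return {"path": "special", "action": "fragment",
                "cpu": self.fragment_table[key], "fragments": frags}


if __name__ == "__main__":
    parser = MessageParser(demo_classifier, n_cpus=2, mtu=1000)
    big = Message("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                  "192.0.2.1", "192.0.2.2", 6, b"x" * 2500)  # constructed sample
    for _ in range(3):
        r = parser.handle(big)
        print(r["path"], r.get("action"), r.get("cpu"), parser.dpi_calls)
```

Only the first message of a flow reaches the classifier; later ones are served from the table, and every fragment of one large flow carries the same processor label.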
It should be noted that in the above embodiments a message type flag of 0 denotes a real-time message and a flag of 1 denotes a large-flow message. This setting does not limit the present invention and can be varied according to actual conditions, for example with flag 1 denoting a real-time message and flag 0 denoting a large-flow message. There can be many specific settings, and techniques covering each way of marking the message type fall within the protection scope of the present invention.
The message parsing method of the present invention classifies messages for processing based on an analysis of their historical behavior, so messages can be handled quickly and accurately. It ensures same-source, same-destination handling of large-flow messages and a fast, prioritized response to high-priority real-time messages, improving the processing performance of the network analysis device. In addition, when an identical message is received again, the network analysis device of the present invention avoids repeating a series of deep message parsing steps, which would otherwise add to the burden on the analysis device, and so saves the CPU resources of the network analysis device. Furthermore, the behavior feature identification table described in the present invention may be preset, taking effect after the device has loaded it and started successfully. It may also support dynamic addition: when a message is received for the first time, deep packet processing extracts information such as the message's key information Key and message type and adds it to the behavior analysis table, so that the next time a message of the same type is received it can be handled directly according to its message type.
The embodiments described above express only preferred embodiments of the present invention. Their description is relatively specific and detailed, but it should not therefore be construed as limiting the scope of the patent. It should be pointed out that a person of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of this patent shall be determined by the appended claims.
Claims (8)
1. A message parsing method, characterized by comprising the steps of:
receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assembling the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into the key information Key;
querying a preset behavior analysis table with the assembled key information Key, the behavior analysis table being a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action;
judging from the query result whether the received message is a special-type message, a special-type message being a message whose assembled key information Key can be found in the behavior analysis table;
when the received message is a special-type message, further determining whether the special-type message is a real-time message or a large-flow message, a large-flow message being a non-real-time message with a large data volume;
when the special-type message is a real-time message, preferentially scheduling a processor according to the scheduling algorithm to process the message in real time, and sending the message to the destination port after the processor finishes processing;
when the special-type message is a large-flow message, fragmenting the large-flow message, recording the fragment information and the label of the scheduled processor in a fragment information table, scheduling the processor with the corresponding label according to the fragment information table to process the fragments, and sending them to the destination port after processing is complete.
2. The message parsing method of claim 1, characterized in that the specific method of judging whether the special-type message is a real-time message or a large-flow message is: judging whether the message type flag corresponding to the key information Key found in the behavior analysis table is 0 or 1; if 0, the special-type message is a real-time message; if 1, the special-type message is a large-flow message.
3. The message parsing method of claim 1, characterized in that when the received message is a non-special-type message, i.e. an ordinary-type message whose assembled key information Key cannot be found in the behavior analysis table, the ordinary message execution flow is carried out and the message is sent to the destination port after the processor finishes processing, the ordinary message execution flow using the hardware multi-core concurrent scheduling mechanism designed into the processor architecture to schedule processors automatically to process the message.
4. The message parsing method of claim 3, characterized in that the ordinary message execution flow comprises:
judging whether the received message is a real-time message or a large-flow message;
if it is a real-time message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into the key information Key, setting the message type flag to 0, and then adding the assembled key information Key and its corresponding message type flag to the behavior analysis table as a new entry;
if it is a large-flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into the key information Key, setting the message type flag to 1, and then adding the assembled key information Key and its corresponding message type flag to the behavior analysis table as a new entry.
5. A message parsing device, characterized by comprising:
a receiving module, for receiving a message, obtaining the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number of the message, and assembling the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into the key information Key;
a query module, for querying a preset behavior analysis table with the assembled key information Key, the behavior analysis table being a hash table that records the key information Key of messages together with the corresponding message type flag and message processing action;
a first judging module, for judging from the query result whether the received message is a special-type message, a special-type message being a message whose assembled key information Key can be found in the behavior analysis table;
a second judging module, for further determining, when the received message is a special-type message, whether the special-type message is a real-time message or a large-flow message, a large-flow message being a non-real-time message with a large data volume;
a first processing module, for, when the special-type message is a real-time message, preferentially scheduling a processor according to the scheduling algorithm to process the message in real time, and sending the message to the destination port after the processor finishes processing;
a second processing module, for, when the special-type message is a large-flow message, fragmenting the large-flow message, recording the fragment information and the label of the scheduled processor in a fragment information table, scheduling the processor with the corresponding label according to the fragment information table to process the fragments, and sending them to the destination port after processing is complete.
6. The message parsing device of claim 5, characterized in that the second judging module is further used for, when the received message is a special-type message, judging whether the message type flag corresponding to the key information Key found in the behavior analysis table is 0 or 1.
7. The message parsing device of claim 5, characterized in that when the received message is a non-special-type message, i.e. an ordinary-type message whose assembled key information Key cannot be found in the behavior analysis table, the parsing device further comprises:
a third processing module, for carrying out the ordinary message execution flow and sending the message to the destination port after the processor finishes processing, the ordinary message execution flow using the hardware multi-core concurrent scheduling mechanism designed into the processor architecture to schedule processors automatically to process the message.
8. The message parsing device of claim 7, characterized in that the third processing module further comprises:
a third judging module, for judging whether the received message is a real-time message or a large-flow message;
a first entry creation module, for, when the received message is a real-time message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into the key information Key, setting the message type flag to 0, and then creating in the behavior analysis table the entry corresponding to the assembled key information Key and message type flag;
a second entry creation module, for, when the received message is a large-flow message, obtaining its source MAC address, destination MAC address, source IP address, destination IP address and protocol version number, assembling the source MAC address, destination MAC address, source IP address, destination IP address and protocol version number into the key information Key, setting the message type flag to 1, and then creating in the behavior analysis table the entry corresponding to the assembled key information Key and message type flag.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710833249.4A CN107508827B (en) | 2017-09-15 | 2017-09-15 | Message parsing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107508827A true CN107508827A (en) | 2017-12-22 |
CN107508827B CN107508827B (en) | 2021-01-26 |
Family
ID=60696693
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710833249.4A Active CN107508827B (en) | 2017-09-15 | 2017-09-15 | Message parsing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107508827B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |